• Status: Solved

Accessing external Hosted Exchange 2010 from within SBS2003R2 network (ISA2004)

Hi Guys,

I have an SBS2003R2 network with ISA2004 (dual port server, etc).
I'm moving our mail system to a hosted Exchange setup external to the local network (all of the DNS is set up and the mailboxes work OK, no MX is pointing to the internal Exchange2003 box).
I have also removed the domains from the recipient policies.

OK, I can connect to the hosted Exchange server through RPC over HTTP with a PC connected directly on the router (so on the external side of the SBS2003 box).

I can't connect a domain-connected PC to the hosted Exchange2010 server using similar methods. What ports etc. need opening through ISA2004 to do this, please?

I have read that the IP of the remote exchange server needs to be added to the LAT for this but have not been able to verify or obtain any background on this.

Can anyone help please ????

Suliman Abu Kharroub (IT Consultant) commented:
Is your internal domain name the same as your external domain name? For example, mydomain.com

TrevorWhite (IT Consultant, Author) commented:
Hi Sulimanw,
No, the internal domain is WhytecDomain.local; external is Whytec.com.
The SBS setup is pretty much OK (I manage a number of these for clients).
This is the first SBS where I have had to migrate SBS2003/Exchange2003 to Hosted Exchange, i.e. the Exchange organisation is external to the local server.

Can I take it this is doable ???

TrevorWhite (IT Consultant, Author) commented:

Hosted Exchange is accessed by RPC/HTTP connection. I've been involved with this when accessing SBS Exchange mailboxes through externally connected internet PCs (i.e. inbound to the SBS box), but making an outbound RPC/HTTP connection to an external Exchange mailbox isn't really an SBS operation. Hence I'm stuck, as I don't know what ports etc. are required through the ISA2004 firewall.

Can anyone help tonight, I could do with getting this sorted asap.

Regards in advance

TrevorWhite (IT Consultant, Author) commented:
Really could do with some help on this, guys. I have spent the evening trawling the internet for some info but no conclusion. Small Bus server forum says this should be possible out of the box.

I have an Outlook profile configured with the external Exchange address (this was set up with the PC connected directly to the internet through the router) and all worked fine. As soon as I attach the same PC to the internal subnet (the SBS domain) I get 'Trying to connect to the exchange server' and ultimately 'Disconnected'.

Tried this with the MS firewall client enabled and disabled, still the same.

Help, don't know how to proceed.

Suliman Abu Kharroub (IT Consultant) commented:
While directly attached, right Ctrl+right-click on the Outlook icon in the notification area, then Connection Status --> how does it connect? HTTP or TCP? If HTTP/S, then just make sure to create an access rule allowing HTTP/S from internal to external, if not yet.

Another thing to check from the internal network: test DNS:

set q=mx

Does it return the correct IP address?

Do you have a DNS zone domain.com in your internal DNS server?

While Outlook is trying to connect, go to the ISA monitor and set the filter to the client IP address, and see what is going on: which rule blocks the traffic.

TrevorWhite (IT Consultant, Author) commented:
Hi SulimanW,
Thanks for the steering with this !!!
Direct connection is indeed HTTPS. I can access HTTPS sites from within the SBS domain (I do this regularly to access https://server.Customer.com/Exchange - which is a customer's OWA service). I have also visited some HTTPS test sites.

The nslookup on ilsexc01.ilsexchange.infologicinternet.com gives 'Non-existent domain' . . . this is the URL provided for entry in the Exchange server name. The server HTTPS address is exchange.infologicinternet.co.uk. This gives:
Primary Name Server = ns1-hosts.srsplus.com
responsible mail addr = hostmaster.srsplus.com
serial = 1301396667
refresh 10800 (3 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 86400 (1 day)

I have looked in the DNS and not found a whytec.com domain zone. I don't recall setting up any split DNS setup in the past either.

Client IP is
I set up an ISA log filtered on and the connection is indeed rejected on the HTTPS request. ( 443 HTTPS Denied Connection SBS Internet Access Rule )
I have attached the full log in case it is illuminating.

So why does the SBS Internet Access Rule reject an HTTPS connection attempt over 443 when other https traffic is passed. Is there a way forward to determine why the request fails ???


TrevorWhite (IT Consultant, Author) commented:
Whoop, whoop !!!
All sorted after realisation that it really was a rule-based issue in ISA2004.
I have added a new Internet Access rule to specifically pass HTTPS for all users from localhost and Internal network. Connections are now made and Outlook syncs up OK.

Would still like to know why this is necessary. Can you explain ???
Points are yours of course, thanks so much for the pertinent comments and steers.

Suliman Abu Kharroub (IT Consultant) commented:
You are welcome :) Glad to hear that..

I think below is the cause:
Does the old rule have localhost in the From tab? If so, then your client is connected to the internet by using the web proxy method... and in this case only rules which are applied on the localhost will be applied on the clients.

TrevorWhite (IT Consultant, Author) commented:
Ah yes I follow you.
Just checked the standard SBS rule and it is for 'All protected networks' so I guess 'local host' is some sort of exception to that even though it is part of the 'protected network' subnet.

So great work, Sulimanw. Thanks for your time and persistence with this I do appreciate it.

I'll close this up now and award the points, please do add anything that may be helpful for others in the future though.

TrevorWhite (IT Consultant, Author) commented:
One thing to come out of this for me is that 'localhost' is an exception to 'All protected networks'